Decoy adware sparks garbled print job mayhem
- — 22 June, 2012 10:49
A double barrel malware threat is causing havoc across enterprises in the US, India and Europe by forcing printers to spew ‘garbled’ text on reams of paper.
Malware is typically designed to remain hidden to the user and in this case two pieces of malware work in tandem to ensure they remain off the antivirus radar, but an apparent coding error has blown its cover by sending networked printers off the cliff.
The Sans Institute two weeks ago raised concerns about a potential “print bomb” doing the rounds, noting several reports of an executable file causing unusual print outs.
On Thursday Symantec cleared up questions over its cause, explaining it appears to be an unintended side effect of malware that was just trying to remain obscured.
Symantec says an outbreak of the ‘Milicenso’ trojan is behind those reports, but the trojan is not actually causing printers to spit “garbage characters” until it the paper tray is empty.
The trojan works in tandem with adware Symantec identifies as Eoreze whose main purpose is to help the trojan evade detection. By exploiting its low level status as adware it serves as a decoy to the more serious threat of the trojan.
Instead of going silent when Miliecenso hits an AV engine’s sandboxed environment, Eoreze makes noise by connecting to its target domains, increasing the odds the trojan remains ignored.
The problem with Eorezo, which really does redirect victims to French language websites, is that the .spl file it creates to aid the infection process can also trigger massive print jobs.
“Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs,” said Symantec.
“Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather than an intentional goal of the author.”
Follow @CSO_Australia and sign up to the CSO Australia newsletter.
Get exclusive access to CSO, invitation only events, reports & analysis. 
